Re: [cobalt-developers] SYN flooding
- Subject: Re: [cobalt-developers] SYN flooding
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Wed Mar 27 11:13:01 2002
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
> Date: Tue, 26 Mar 2002 19:05:30 -0800
> From: CJ Johnson <cj.johnson@xxxxxxx>
(snipping throughout)
> We have enabled syncookies by default since the Qube-2 and
> RaQ-2. There is a slight increase in overhead under extreme
Thanks for clarifying. :-)
> You can use tcpdump to verify the alleged source of the flood.
> If you are being hit with a spoofed attack, you should see a
> TCP RST reply to your system's SYN-ACK. (Because the spoofed
> source didn't actually initiate the connection, it sends a
> reset, rather than continuing with data).
Good point. I neglected to so much as mention backscatter
analysis. Note that, if the spoofed system is down, there will
probably be no backscatter -- unless the impersonated, offline
system is "behind" a [likely stateful] firewall that sends the
RSTs.
> Finally, I would try to back trace the packets. Your upstream
> network ought to help if you can bypass the front line tech
> support (knowing the $$'s figure should help here). From there
> on, you get to enter service provider support hell. Also, if
Some providers are clueless and will simply say "email our inept
'security' department". Others know what to do and will help.
YMWVW. (Your mileage _will_ vary widely.)
> you verify that the source address is spoofed, the spoofee may
> be interested in helping to hunt down the spoofer. After all,
> for every SYN you get and SYN-ACK you make, the spoofee gets an
> unexpected SYN-ACK on his network, and has to send a RST.
IIRC, www.caida.org has some nice papers on backscatter analysis.
> If you are still under attack and hit a roadblock tracing the
> packets, send another note. This is an area where friends of
> friends of friends can prove useful, and the Cobalt developer
> list is pretty well connected.
One might also try NANOG. See www.nanog.org for more info. With
all due respect to these lists, the clue quotient is far higher
on NANOG. I consider myself to be rather clued on *ix and
routing, but I'm just a teeny little speck on NANOG. (The flip
side to this is to post wisely, else get shredded or ignored.)
Looks like the origin ASN for www.obsidian-studios.com is AS3967.
In my limited experience, Exodus pricing and service seem to vary
with the sales rep. Beware the one who wants to charge you out
the wazoo for simple things or things that are really part of
standard service. Not sure how the C&W buyout affects things.
I can guarantee you that EXDS has people watching NANOG. I'd be
surprised if they didn't help out, assuming that you couldn't get
anywhere with first-line support.
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.
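The tcpdump-based check CJ describes (spoofed source answers our SYN-ACK with a RST; a real client answers with an ACK) and Eddy's caveat (a spoofed host that is down or filtered sends nothing back) can be turned into a small triage script. The following is an added example, not code from the thread or from Cobalt; it parses constructed `tcpdump -n` style lines (the sample traffic, the server address 192.0.2.10 and the remote addresses are all made up for illustration) and labels each remote host by how it reacted to the server's SYN-ACK.

```python
import re
from collections import defaultdict

# Assumed line shape of "tcpdump -n" output, e.g.
#   11:13:01.000100 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [S], seq 100, ...
LINE_RE = re.compile(
    r'^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)

# Constructed sample capture (not real traffic): three remote hosts,
# one real client, one spoofed-but-alive host, one spoofed-and-silent host.
SAMPLE = """\
11:13:01.000100 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [S], seq 100, win 1024, length 0
11:13:01.000200 IP 192.0.2.10.80 > 203.0.113.7.40001: Flags [S.], seq 500, ack 101, win 5840, length 0
11:13:01.040000 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [R], seq 101, win 0, length 0
11:13:01.000300 IP 198.51.100.22.40002 > 192.0.2.10.80: Flags [S], seq 200, win 1024, length 0
11:13:01.000400 IP 192.0.2.10.80 > 198.51.100.22.40002: Flags [S.], seq 600, ack 201, win 5840, length 0
11:13:01.000500 IP 198.51.100.22.40003 > 192.0.2.10.80: Flags [S], seq 210, win 1024, length 0
11:13:01.000600 IP 192.0.2.10.80 > 198.51.100.22.40003: Flags [S.], seq 610, ack 211, win 5840, length 0
11:13:01.100000 IP 192.0.2.55.51234 > 192.0.2.10.80: Flags [S], seq 300, win 65535, length 0
11:13:01.100100 IP 192.0.2.10.80 > 192.0.2.55.51234: Flags [S.], seq 700, ack 301, win 5840, length 0
11:13:01.100200 IP 192.0.2.55.51234 > 192.0.2.10.80: Flags [.], ack 701, win 65535, length 0
"""


def parse(lines):
    """Yield (src, dst, flags) for every line that looks like a tcpdump TCP record."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group('src'), m.group('dst'), m.group('flags')


def tally(lines, server_ip):
    """Count, per remote host, the handshake-relevant segments seen in both directions."""
    counts = defaultdict(lambda: {'syn_in': 0, 'synack_out': 0, 'ack_in': 0, 'rst_in': 0})
    for src, dst, flags in parse(lines):
        if dst == server_ip:
            c = counts[src]
            if flags == 'S':                 # inbound SYN
                c['syn_in'] += 1
            elif flags in ('R', 'R.'):       # RST answering our SYN-ACK
                c['rst_in'] += 1
            elif flags in ('.', 'P.'):       # third leg of a real handshake
                c['ack_in'] += 1
        elif src == server_ip and flags == 'S.':
            counts[dst]['synack_out'] += 1   # our SYN-ACK going out
    return counts


def classify(lines, server_ip):
    """Label each SYN source: real client, spoofed (host up), or spoofed/silent."""
    result = {}
    for host, c in tally(lines, server_ip).items():
        if c['syn_in'] == 0:
            continue
        if c['ack_in'] > 0:
            result[host] = 'real'                     # completed the handshake
        elif c['rst_in'] > 0:
            result[host] = 'spoofed-up'               # backscatter RST: address forged, host alive
        elif c['synack_out'] > 0:
            result[host] = 'spoofed-down-or-filtered'  # we answered, nothing came back
        else:
            result[host] = 'no-synack'                # SYN seen but we never replied
    return result


if __name__ == '__main__':
    for host, label in sorted(classify(SAMPLE.splitlines(), '192.0.2.10').items()):
        print(host, label)
```

A RST from the spoofed address tells you the address was forged but not who sent it, and, per the caveat above, the RST may be generated by a firewall in front of the impersonated host rather than the host itself; the script cannot tell those apart. It also only looks at handshake flags, so syncookie-protected servers that never keep half-open state still produce the same SYN-ACK/RST pattern.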